PCI-Put Controls In?

Over the last six weeks, we have seen the hustle and bustle of the holidays subside only to make way for the flurry of breaking news stories about major cyber crime heists. These stories can certainly speculate on what happened, who is going to get sued and who was ultimately responsible for stealing massive amounts of financial and personal data from large retailers. Truth be told, the story has not been completely written yet…

As we discussed live yesterday in our TARGETed Attack webinar, the PCI DSS (Payment Card Industry Data Security Standard) is a baseline framework of best practices and controls intended to protect the processing and handling of payment card data. As payment card networks evolve to incorporate more third-party capabilities in order to complete a transaction, the attack surface grows with every added party, and so does the need to manage and mitigate the risk of attack.

Through all of the muck and mire we have been witnessing, and some of us feeling it directly, it is important to reflect on a couple of key aspects. First, in 2014 organized crime has fully moved into cybercrime. We should expect targeted attacks to continue to circumvent traditional forms of security such as signature-based antivirus and legacy network-based technologies. Second, a new approach to threat defense is required. Organizations have to protect their ecosystems by first thinking like an attacker, and consumers of those services should also understand the risks and the mechanisms available to protect their identities and sensitive data. Assume you will be compromised and then defend accordingly. Offense most definitely informs defense…

Many friends, family and colleagues have been asking me why these breaches happened if there are standards in place, such as PCI DSS, to ensure that merchants and service providers are protecting our sensitive cardholder and personal information. Michaels, for example, is now a repeat offender against the PCI standard. In all fairness, standards need to evolve with new technologies and new threats. The PCI Security Standards Council does a good job of revising its specification as appropriate, but many organizations struggle to keep pace. As more merchants bring technology transformation, big data analytics and cloud-based services into their purview, new attack vectors and opportunities for vulnerabilities are created. Organizations today are expected to add more value for their customers and drive sales, and to do so with less budget. Training and security awareness for employees and management is more important now than ever. Board-level conversations should raise awareness and quantify the business risk of cyber-attacks. Additionally, finding the right skilled employees, innovative technology and security partners is essential to staying informed and prepared; most of us don't have time to be security experts current on every aspect of the cybercriminal underground. Lastly, having a thoughtfully crafted incident response plan that is both adaptable and repeatable will be key when dealing with attacks of this nature.

In the PCI compliance space, auditors tend to do more due diligence with larger retailers and merchants because of the volume of card transactions they process. For example, processing more than 6 million card transactions per year typically puts a merchant in the highest PCI merchant level and requires an onsite assessment by a QSA (Qualified Security Assessor). These certified organizations and assessors spend one to two weeks onsite with the merchant going through all of the PCI DSS requirements. The goal of this exercise is a Report on Compliance (ROC), which looks not only at the documentation supporting the controls but also attests that the controls are actually being followed, by examining logs, management consoles and internal and external vulnerability scans. This is very much a sprint engagement for both the merchant and the QSA, and many times the goal posts move before and after the audit is conducted. People, process and technology all have to be carefully balanced in a PCI-compliant shop. Some organizations are running on all cylinders, many are not, and attackers are taking advantage of this. Risk management plays into the equation on a large scale: where an organization does not meet every aspect of a particular requirement, it may rely on compensating controls to mitigate some of the risk, and the adequacy of those controls has to be agreed upon by the QSA and the merchant or service provider.

Many PCI organizations have trouble scoping all of the networks that touch cardholder data, or that could eventually touch it if a breach occurs. This scoping also has to extend to the third parties that touch your payment card operations and to the security controls they use to protect your information. This often leaves QSAs at a disadvantage when trying to audit everything that could come into play should an attacker gain a foothold in an organization that processes cardholder data. As information leaks about the Target breach, we are seeing how the attack lifecycle can allow an attacker to pivot from a less protected, externally reachable network segment into the supposedly secured cardholder environment.

These major retailer investigations will be analyzed heavily by the PCI Security Standards Council, and fines will be levied by the card brands. For a repeat offender such as Michaels, the penalties will most likely be more punitive, and quite frankly should be. The new PCI DSS 3.0 standard has been released, and organizations will be determining the deltas from the previous version to decide where to flex in the core areas of people, process and technology. At its foundation, the concepts and construct of the PCI standards are very good. Where many get tripped up is in the execution: organizations deploy complicated technology that is difficult to manage, produces a lot of noise (i.e., false positives) and is often not the right arsenal of weapons to keep pace with the feverish assault on their networks. PCI: Put Controls In, and more importantly, put in the right controls, the ones you can cost-effectively manage 24×7.

Look to the Threat Defense Experts that can help you create a Custom Defense strategy for your organization.